Crooks are Reviving the Grandoreiro Banking Trojan

In a concerning resurgence, the notorious Grandoreiro banking trojan has been spotted back in action, targeting users in Latin America and Europe through sophisticated phishing campaigns. This modular backdoor, which has been active since 2016, initially focused on Brazil but expanded its reach to Mexico, Portugal, and Spain as early as 2020.

Forcepoint X-Labs researchers have sounded the alarm about the new phishing campaigns, warning of a wave of attacks aimed at users in these regions. The Grandoreiro trojan supports a range of capabilities, including encryption, password protection, and credential theft.

The latest campaigns, which use VPS hosting and obfuscation techniques to evade detection, have been uncovered by cybersecurity firm Forcepoint. According to the researchers, the attackers are using Contabo-hosted links to deliver obfuscated Visual Basic scripts and disguised EXE payloads, with the ultimate goal of stealing sensitive credentials.

The phishing emails impersonate tax agencies, making it difficult for users to distinguish them from legitimate messages. The emails contain malicious links that redirect users to VPS or dedicated servers hosted on Contabo, which are used to download a zip payload from MediaFire. This zip file often contains a password-protected, obfuscated VBS script that decodes a base64 stream and drops an EXE file in the system directory.

The extracted 32-bit EXE file, compiled with Delphi, masquerades as a PDF; when the user opens it, it displays an Acrobat Reader error. The malware then connects to a C2 server (18.212.216.95) and searches for personal data, including Bitcoin files, system GUID, computer name, and language settings.

The Grandoreiro trojan uses a custom URI Client and unusual port numbers to communicate with the server, making it even more difficult to detect. Attackers frequently change subdomains under contaboserver[.]net to evade detection, adding an extra layer of complexity to the attacks.

Indicators of Compromise (IoCs)

Forcepoint has included a list of Indicators of Compromise (IoCs) in their report, which includes specific domains, IP addresses, and other characteristics that are associated with the Grandoreiro trojan. These IoCs can be used by security professionals to detect and block the malware.

Fighting Back Against the Grandoreiro Trojan

As with any threat, the best way to fight back against the Grandoreiro trojan is through education and awareness. Users must be vigilant when it comes to receiving suspicious emails or messages that seem too good (or bad) to be true.

In addition to user education, cybersecurity professionals can use the IoCs provided by Forcepoint to detect and block the malware. Regular software updates, security patches, and backups can also help to mitigate the damage caused by the Grandoreiro trojan.

Stay Safe Online

The threat landscape is constantly evolving, with new threats emerging all the time. By staying informed and taking proactive steps to protect yourself and your organization, you can reduce your risk of falling victim to cybercrime.
